Posts: 4
Threads: 1
Joined: May 2011
Hi guys, I'm not sure where to post this but here goes. I have successfully installed Commentics to try it out. Note that the only thing that failed the installation check was the Mbstring module check. What does that mean? As noted on the checker, mbstring should be disabled or I would see extra apostrophes. But I noticed when I tested posting on it that there appear to be extra slashes before an apostrophe on the posts. How can I fix that?
Posts: 2,904
Threads: 59
Joined: Jun 2010
Hi,
I think you mean that it was 'Magic Quotes' that failed the System Check as that would explain why there are extra slashes and if Mbstring failed then the installer would not let you continue.
What you need to do is disable Magic Quotes. This is usually done in your server's PHP.ini file. There are tutorials on the Internet for how to do it or your host can help if you're not sure.
Posts: 4
Threads: 1
Joined: May 2011
Oh yes, I meant Magic Quotes failed the check. Sorry, I was confused as I also tested on another server, where mbstring and magic quotes failed. Okay, I will try to check how to disable magic quotes in the php.ini file. Thanks for the help.
(01-Jun-2011, 06:13 PM)Steven Wrote: Hi,
I think you mean that it was 'Magic Quotes' that failed the System Check as that would explain why there are extra slashes and if Mbstring failed then the installer would not let you continue.
What you need to do is disable Magic Quotes. This is usually done in your server's PHP.ini file. There are tutorials on the Internet for how to do it or your host can help if you're not sure.
Posts: 4
Threads: 1
Joined: May 2011
Yep, I fixed it. First I added the line 'magic_quotes_gpc = Off' to php.ini. That didn't seem to work. I created another one named php5.ini which only contained that one line and it worked. Thanks!
On the other hand, I have another question regarding magic quotes. If magic quotes is disabled, how does our Commentics script handle MySQL injections?
Posts: 2,904
Threads: 59
Joined: Jun 2010
The script uses the mysql_real_escape_string() function on all data. This escapes it so that it is no longer vulnerable to SQL injection attacks. Magic Quotes does the same thing, so if it's enabled then the data will be escaped twice like you experienced. Magic Quotes was created so that amateur programmers who didn't know how to escape data would be protected from injections but the problem is that not all servers have it enabled so, if the script is to be distributed like Commentics and used on different servers, the programmer of the script has to check if Magic Quotes is enabled or not so that the data is only escaped once. Therefore the concept of Magic Quotes is a bit of a nightmare in that situation and this is why it is being completely removed from PHP 6. Considering this I took the decision to not write any code to deal with Magic Quotes and instead request the website owner to disable it.
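Added example, not part of the original thread and not Commentics code: it reproduces the double escaping described above and the "undo Magic Quotes once" check a distributed script would otherwise need. `escape_for_mysql()`, `value_mysql_stores()` and `undo_magic_quotes()` are hypothetical helpers; `addslashes()` stands in for what `magic_quotes_gpc = On` did to request data, and the sample comment text is constructed.

```php
<?php
// Stand-in for mysql_real_escape_string(): same escape set, but no connection
// and no charset awareness (assumption made so the example runs anywhere).
function escape_for_mysql(string $v): string {
    return strtr($v, ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// What MySQL stores after parsing the escaped literal: each backslash
// sequence collapses back to a single character.
function value_mysql_stores(string $literal): string {
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    return preg_replace_callback('/\\\\(.)/s',
        fn($m) => $map[$m[1]] ?? $m[1], $literal);
}

// Hypothetical helper: undo Magic Quotes exactly once, including nested arrays
// such as form fields named field[]. On PHP versions that still had the
// feature, $magicQuotesOn would come from get_magic_quotes_gpc().
function undo_magic_quotes($value, bool $magicQuotesOn) {
    if (!$magicQuotesOn) {
        return $value;
    }
    return is_array($value)
        ? array_map(fn($v) => undo_magic_quotes($v, true), $value)
        : stripslashes($value);
}

$typed   = "It's a test";        // constructed comment text
$fromPhp = addslashes($typed);   // what the script received with magic_quotes_gpc = On

$cases = [
    'magic quotes off'           => escape_for_mysql($typed),
    'magic quotes on, unhandled' => escape_for_mysql($fromPhp),
    'magic quotes on, undone'    => escape_for_mysql(undo_magic_quotes($fromPhp, true)),
];
foreach ($cases as $label => $literal) {
    printf("%-28s SQL literal: '%s'  stored: %s\n", $label, $literal, value_mysql_stores($literal));
}
```

Only the unhandled case stores a backslash in front of the apostrophe, which is the symptom reported at the top of the thread.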
Posts: 4
Threads: 1
Joined: May 2011
Ah now I see. That is very interesting. I will remember this. Thanks!
(02-Jun-2011, 09:49 AM)Steven Wrote: The script uses the mysql_real_escape_string() function on all data. This escapes it so that it is no longer vulnerable to SQL injection attacks. Magic Quotes does the same thing, so if it's enabled then the data will be escaped twice like you experienced. Magic Quotes was created so that amateur programmers who didn't know how to escape data would be protected from injections but the problem is that not all servers have it enabled so, if the script is to be distributed like Commentics and used on different servers, the programmer of the script has to check if Magic Quotes is enabled or not so that the data is only escaped once. Therefore the concept of Magic Quotes is a bit of a nightmare in that situation and this is why it is being completely removed from PHP 6. Considering this I took the decision to not write any code to deal with Magic Quotes and instead request the website owner to disable it.